# YR\_DB\_RUNTIME\_VERIF: A FRAMEWORK FOR VERIFYING SQL CORRECTNESS PROPERTIES OF GUI SOFTWARE AT RUNTIME

Xavier Noumbissi Noundou

yeroth.d@gmail.com

Abstract. Software correctness properties are essential to maintain quality by continuous and regressive integration testing, as well as runtime monitoring the program after customer deployment. This paper presents an effective and lightweight C++ program verification framework: YR\_DB\_RUNTIME\_VERIF, to check SQL (Structure Query Language) [30] software correctness properties specified as temporal safety properties [11]. A temporal safety property specifies what behavior shall not occur, in a software, as sequence of program events. YR\_DB\_RUNTIME\_VERIF allows specification of a SQL temporal safety property by means of a very small state diagram [29]; such a state diagram, would only be specified by a start and an accepting state, and by a pre- and post-condition on the state diagram transition between them. In YR\_DB\_RUNTIME\_VERIF, a specification characterizes effects of program events (via SQL statements) on database table columns by means of set interface operations  $(\in, \notin)$ , and, enable to check these characteristics hold or not at runtime. Integration testing is achieved for instance by expressing a state diagram that encompasses both Graphical User Interface (GUI) states and MySQL [25] databases queries that glue them. For example, a simple specification would encompass states between 'Department administration' and 'Stock listing' GUI interfaces, and transitions between them by means of MySQL databases operations. YR\_DB\_RUNTIME\_VERIF doesn't generate false warnings; YR\_DB\_RUNTIME\_VERIF specifications are not desirable (forbidden) specifications (fail traces). This paper focuses its examples on MySQL database specifications, labeled as states diagrams events, for the newly developed and FOSS (Free and Open Source Software) Enterprise Resource Planing Software YEROTH-ERP-3.0 [26].

**Keywords:** model—based testing  $\cdot$  reactive system analysis  $\cdot$  computer software program analysis  $\cdot$  computer software dynamic program analysis  $\cdot$  software integration testing with SQL and GUI  $\cdot$  runtime monitoring

#### 1 Introduction

#### 1.1 Motivations

This paper describes an effective dynamic analysis framework, based on runtime monitors specified in C++ programs (implemented in the software library yr\_sd\_runtime\_verif), to perform software temporal safety property checking of GUI (Graphical User Interface) based software.

GUI based software are very comfortable and handy to use. However, tools to perform temporal safety property verification of GUI software are allmost not available as FOSS. The testing of combinations between GUI windows and database queries that glue them to make sense to the user, is allmost unavailable as FOSS, or at all to the best of the knowledge of the author of this paper. The FOSS C++ library libfsmtest [5] provides test suite generation support for source code behavior specifications as mealy automata. However, libfsmtest only allows for desirable correctness properties, and doesn't provide GUI (interaction) support or as plugin-based.

Unit or integration testing for GUI widgets is available by use of "NUnit" testing frameworks like e.g. Qt-Test [1], CppUnit [20], etc.. Software testing across GUI widgets (and MySQL queries) is however limited in support by these "NUnit" framework. To the best of the knowledge of the author of this paper, DejaVu [4] provides some support for Java'record and replay' testing while FROGLOGIC [14] provides support for C++ GUI software 'record and replay' testing technology. 'Record and replay' testing means a user performs a sequence of events that are recorded by testing infrastructure and automatically replay later on to see if expected events thereof occur. However, none of this 'record and replay' technology tool enable temporal safety property specification as FOSS, with SQL as plugin.

As we will see in the related work, section 7, of this paper, most of software correctness property checking frameworks don't put an emphasis on checking temporal safety property of GUI software. Characterizing the effects of program statements (via SQL statements) on database table columns, and to check that these characteristics hold or not, is of predominant importance for large software systems with an impressive number of database tables. YEROTH-ERP-3.0 has for instance 60 user interfaces (windows, dialogs), 38 SQL tables, 320 SQL table columns, and about 300,000 source lines of code.

It means it can be very difficult for developers to keep application related logical requirements between the tables without appropriate software testing or analysis tools.

A large amount of former work on runtime monitoring assumes for a sequential program, or an abstraction of the program as one single source code, on which program analysis is performed [7,9,3,6,10].

The program analysis technique the author of this paper presents here abstract SQL events, GUI events, or sequences of them, as a state diagram, and enables developers to run them sequentially against a runtime monitor specified as a C++ program. In particular, the example presented in Section 2 specifies results of

GUI windows events as SQL database pre-conditions on state diagram transitions; SQL events are specified as state diagram transition events.

#### 1.2 Main Contributions

This paper presents 3 original main contributions:

- an industrial level quality framework (YR\_DB\_RUNTIME\_VERIF: https://github.com/yerothd/yr-db-runtime-verif), that solves temporal property verification by dynamic program analysis. YR\_DB\_RUNTIME\_VERIF makes use of the C++ Qt-Dbus library, to input a runtime monitor specification (yr\_sd\_runtime\_verif) as C++ program code, that also enables software-library-plugin checks;
- a C++ library: yr\_sd\_runtime\_verif (https://github.com/yerothd/yr\_sd\_runtime\_verif); modeling a state diagram runtime monitoring interface using only set algebra inclusion operations (∈, ∉) for state diagram program state specification as pre- and post-conditions.
  - yr\_sd\_runtime\_verif only enables the specification of states diagrams specifications as not desirable (forbidden) behavior specifications (fail traces). Thus, YR\_DB\_RUNTIME\_VERIF doesn't generate any false warning. A violation of a safety rule has been found whenever a final state could be reached. On the other hand, not reaching a final state doesn't mean that there is not a test case (or test input) that cannot reach this final state.
- An application of YR\_DB\_RUNTIME\_VERIF to check 1 temporal safety property error, found in the ERP FOSS YEROTH-ERP-3.0.

#### 1.3 Overview

This paper is organized as follows: Section 2 presents a motivating example that will be used throughout this paper to explain the presented concepts of this paper. Section 3 presents formal definitions of the principal concepts used in this paper. Section 4 presents the software architecture of YR\_DB\_RUNTIME\_VERIF, our GUI dynamic analysis framework. Section 5 introduces the C++ software library yr\_sd\_runtime\_verif to model states diagrams, and reused by YR\_DB\_RUNTIME\_VERIF. We evaluate our dynamic runtime analysis in Section 6. Section 7 compares this paper with other papers that achieve similar work or endeavors. Section 8 concludes this paper.

### 2 Motivating Example: missing department definition

Fig. 1: A motivating example, as current bug in YEROTH–ERP–3.0.  $\underline{Q0} := \text{NOT\_IN\_PRE}(\text{YR\_ASSET}, \text{department\_department\_name}).$   $\overline{\overline{Q1}} := \text{IN POST}(\text{YR ASSET}, \text{stocks.department name}).$ 



Fig. 2: YEROTH-ERP-3.0 administration section displaying departments ( $\neg Q0$ ).



Fig. 3: YEROTH-ERP-3.0 stock asset window listing some assets  $(\overline{Q1})$ .



## ${\bf 2.1} \quad {\bf The \ Enterprise \ Resource \ Planing \ Software \ YEROTH-ERP-3.0}$

YEROTH-ERP-3.0 is a fast, yet very simple in terms of usage, installation, and configuration Enterprise Resource Planing Software developed by Noundou et al. [26] for very small, small, medium, and large enterprises. YEROTH-ERP-3.0

Fig. 4: YR\_DB\_RUNTIME\_VERIF command line shell output demonstrating that a final state has been reached (Section 6 analyzes these results).

is developed using C++ by means of the Qt development library. YEROTH–ERP-3.0 is a large software with around 300 000 (three hundred thousands) of physical source lines of code. YR\_DB\_RUNTIME\_VERIF could be used for integration testing of YEROTH–ERP-3.0, among different software modules.

#### 2.2 Example Temporal Safety Property

The motivating example of this paper consists of the temporal safety property stipulating that "A DEPARTMENT SHALL NOT BE DELETED WHENEVER STOCKS ASSET STILL EXISTS UNDER THIS DEPARTMENT". This statement means that a user shall be denied the removal of department 'YR\_ASSET' in Figure 2 because there are still a stock asset listed within department 'YR\_ASSET', as illustrated in Figure 3. Figure 1 illustrates the above temporal safety property as a simple state diagram.

**State Diagram Explanation** 'D' is a *start* state as illustrated by an arrow ending on its state shape. 'E' is a *final* (error, or accepting) state as illustrated by a double circle as state shape.

The pre-condition Q0 (as a predicate) in state 'D':

'NOT IN PRE(YR ASSET, department.department name)' means:

a department named 'YR\_ASSET' is not in column 'department\_name'
 of database table 'department'. This might happen whenever button 'Delete'
 in Figure 2 is pressed when item 'YR ASSET' is selected.

Similarly, the post-condition  $\overline{Q1}$  (as a predicate) 'IN\_POST(YR\_ASSET, stocks.department name)', in accepting state 'E', means:

a department named 'YR\_ASSET' is in column 'department\_name'
 of database table 'stocks'.

The state diagram event transition in Figure 1: 'select.department' denotes that when in 'D', a SQL 'select' on database table 'department' has occurred; 'E' is then reached as an *accepting state*. The source code specified in Listing 1.3 also illustrates a specification in C++ using software library yr\_sd\_runtime\_verif of the state diagram specification above.

#### 2.3 YR\_DB\_RUNTIME\_VERIF Analysis Report

The motivating example automaton in Figure 1 is analyzed by **YR\_DB\_RUNTIME\_VERIF** as follows:

- Whenever department 'YR\_ASSET' is deleted in YEROTH–ERP–3.0, as done in Figure 2, the runtime monitor state 'D' with a state condition  $\underline{Q0}$  is entered
- when MySQL library (plugin) event 'select.department' occurs, in Figure 2 because of YEROTH-ERP-3.0 displaying the remaining product departments, the guarded condition for edge event 'select.department' is automatically evaluated to 'True' by C++ library yr\_sd\_runtime\_verif, because no other guarded condition was specified by the developer
- yr\_sd\_runtime\_verif enters the runtime monitor state to 'E' and state condition  $\overline{Q1}$  via method YR\_trigger\_an\_edge\_event(QString an\_edge\_event) because there are still assets (yeroth\_asset\_3) left within product department 'YR\_ASSET', as illustrated in Figure 3. 'E' is then an accepting (or final or error) state.

Figure 4 illustrates an analysis result of the afore described process, which gets evaluated and described in Evaluation Section 6.

# 2.4 Runtime Analysis Interpretation Of yr\_sd\_runtime\_verif Models By YR\_DB\_RUNTIME\_VERIF

The framework YR\_DB\_RUNTIME\_VERIF assumes the following characteristics of a specification automaton in order to enable proper software integration testing:

- the state diagram automaton only has 2 states: a start and a final state;
- at most 1 state diagram transition pre-condition on the start state
- exactly 1 post-condition on the final state, *that must hold*, when the state diagram automaton reaches this final state
- exactly one state diagram transition between the start and the final state
- no edge guard condition

Future releases of  $yr\_sd\_runtime\_verif$  will extend 2-states states diagrams mealy machines in order to have states diagrams with more than only 2 states.

#### 3 Formal Definitions

yr\_sd\_runtime\_verif's formal description of the state diagram formalism follows *Mealy machine* [29] added with *accepting states* (*final or erroneous state*), and state diagram transition pre- and post-conditions. Another excellent, detailed with proofs and theory presentation of mealy automata [27] is available. In comparison to statechart [16], which is a visual formalism for states diagrams, yr\_sd\_runtime\_verif doesn't support for instance the following features: hierarchical states (composite state, submachine state), timing conditions.

**Definition 1.** A state diagram is a 8-tuple  $(S, S_0, C, \Sigma, \Lambda, \delta, T, \Gamma)$  where:

- S: a finite set of states
- $-\mathbf{S_0} \in S$ : a start state (or initial state)
- C: a set of predicate conditions; pre-conditions are underlined (e.g.:  $\underline{Q0}$ ), and post-conditions are overlined (e.g.:  $\overline{Q1}$ ). A pre-condition is comparable to a Harel-statechart guard condition.
- $\Sigma$ : an input alphabet,  $\Sigma := \{False, True\}$ .

  'False' means no input from SUT into  $YR\_DB\_RUNTIME\_VERIF$ .

  'True' means any input could come from SUT.
- $\Lambda$ : an output alphabet (of program events  $e_n(n \in \mathbb{N})$ ),  $\phi$  the no program event. A program event generally corresponds to a function or method call at a SUT source code statement (or program point).
- $-\delta: S \times C$ : a 2-ary relation that maps a state s to a state-condition c as either a state diagram transition pre-condition ( $\underline{c}$ ), or as a state diagram transition post-condition ( $\overline{c}$ ).
- $\mathbf{T}: S \times \Sigma \to S \times \Lambda$ : a transition function that maps an input symbol to an output symbol and the next state.
- $\Gamma$ : a set of accepting states;  $\Gamma \in S$ .

For instance, for the motivating example described in Figure 1 we have:

**Definition 2.** A pre-condition of a state diagram transition is a predicate that must be true before the transition can be triggered. A pre-condition  $\underline{Q0}$  could have 2 forms:

- $\underline{Q0}$  := IN\_PRE(X, Y) that means value "X" is in (∈) database column value set "Y".
- $\underline{Q0}$  := NOT\_IN\_PRE(X, Y) that means value "X" is not in ( $\notin$ ) database column value set "Y".

**Definition 3.** A post-condition of a state diagram transition is a predicate that must be true after the transition was triggered. A post-condition  $\overline{Q1}$  could have 2 forms:

- $-\overline{Q1}$  := IN\_POST(A, B) that means value "A" is in (∈) database column value set "B".
- $-\overline{Q1}$  := NOT\_IN\_POST(A, B) that means value "A" is not in ( $\notin$ ) database column value set "B".

**Definition 4.** A trace  $T_n = \langle e^0, e^1, ...e^n \rangle$  is a sequence of SUT events (or SUT program points)  $e^i (i \in \{0,...,n\})$  of length  $n.\ trace(D)$  is the trace of SUT events up to state D. For instance, for the motivating example described in Figure 1 we have:  $trace(D) = \langle \cdot \rangle$ ,  $trace(E) = \langle \cdot \rangle$  select.department' >.

Proposition 1: NO FALSE WARNINGS. yr\_sd\_runtime\_verif only allows 1 outgoing edge or transition for a state in its specifications, and for *not desirable (forbidden) behavior*, as illustrated in Figure 1. There is no need to specify the red colored edge in Figure 1 because it represents runtime cases where no input events arrive from SUT into YR\_DB\_RUNTIME\_VERIF. These 2 properties, together with algorithm 'YR\_trigger\_an\_edge\_event(QString an\_edge\_event)' (Listing 1.1) of yr\_sd\_runtime\_verif, ensures that there are no false warnings during YR\_DB\_RUNTIME\_VERIF analyses. For example, the runtime monitoring or verification systems [7,9,3,6,10] may give false warnings.

Listing 1.1: C++ Pseudo-code for YR\_trigger\_an\_edge\_event(QString an\_edge\_event): yr\_sd\_runtime\_verif method for triggering state diagram events (edges or transitions).

```
bool MONITOR::YR_trigger_an_edge_event(QString an_edge_event)
2
3
        MONITOR_EDGE cur_OUTGOING_EDGE = _cur_STATE.outgoing_edge();
4
        5
6
7
            8
9
10
            if (precondition_IS_TRUE)
11
12
               set current triggered EDGE(cur OUTGOING EDGE);
13
14
               \begin{array}{lll} MONITOR\_STATE\ a\_potential\_accepting\_state = \\ cur\_OUTGOING\_EDGE.get\_TARGET\_STATE(); \end{array}
15
16
17
               \mathbf{if}\ (\mathrm{CHECK\_whether}\_\ \mathrm{STATE}\_\ \mathrm{is}\_\ \mathrm{Final}(\mathrm{a\_potential}\_\ \mathrm{accepting}\_\mathrm{state}))
18
19
                   CALL BACK final state FUNCTION(a potential accepting state);
20
21
22
               return true;
23
^{24}
25
        return false:
26
```

#### 4 The Software Architecture of YR-DB-RUNTIME-VERIF

Fig. 5: **YR\_DB\_RUNTIME\_VERIF**: simplified software system architecture.



Fig. 6: **YR\_DB\_RUNTIME\_VERIF** and SUT socket communication (diagram inspired from Jan Peleska diagram—work).



#### 4.1 Dynamic Analysis

SUT Source Code Instrumentation. YR\_DB\_RUNTIME\_VERIF runs as a separate Debian Linux process from the application to dynamically analyze (YEROTH-ERP-3.0 in this case). Figure 5 illustrates a software system architecture layer of a software system that uses YR\_DB\_RUNTIME\_VERIF. Figure 5 and Figure 6 illustrate how YEROTH-ERP-3.0 is instrumented to send MySQL database events, as they occur on due to the GUI of YEROTH-ERP-3.0, to process YR\_DB\_RUNTIME\_VERIF, so it can perform runtime analysis of the monitor implemented within it.

**Debugging Information.** Each GUI manipulation of YEROTH-ERP-3.0 in its instrumented source code part could generate a state transition within the analyzed runtime monitor state diagram in YR\_DB\_RUNTIME\_VERIF. Visualize "line 35" of Figure 4 to observe that a specific analysis message is sent to the console of YR\_DB\_RUNTIME\_VERIF in cases where a final state has been reached; the message at "line 33" is for an accepting (final) state of the state diagram specification of the motivating example presented in Figure 1.

SQL Event Dbus Method Interface. YR\_DB\_RUNTIME\_VERIF currently only handles 4 SQL events: DELETE, INSERT, UPDATE, SELECT.

#### 4.2 A Runtime Monitor (An Analysis Client)

Listing 1.2: "XML file adaptor for YEROTH-ERP-3.0 test cases (reduced from 4 to only 1 SQL event for paper)."

Fig. 7: YR\_DB\_RUNTIME\_VERIF: simplified class diagram in UML [8].



An user (an analysis client) of YR\_DB\_RUNTIME\_VERIF needs to subclass class YR\_DB\_RUNTIME\_VERIF\_Monitor. The UML class diagram in Figure 7 displays the class structure of YR\_DB\_RUNTIME\_VERIF. Qt-Dbus communication adaptor IYRruntimeverificationAdaptor shall be generated by the user of this library (on YR\_DB\_RUNTIME\_VERIF side) using Qt-Dbus command qdbusxml2cpp and an XML file, similar to the one displayed in Listing 1.2:

An analysis client must first override method 'DO\_VERIFY\_AND\_or\_CHECK\_ltl\_PROPERTY' of class 'YR\_DB\_RUNTIME\_VERIF\_Monitor' so to implement a checking algorithm for each event received from SUT, as for instance the events illustrated in Figure 1 of the motivating example. The analysis client then calls method 'YR\_trigger\_an\_edge\_event(QString an\_edge\_event)' (Listing 1.1) of class 'YR\_CPP\_RUNTIME\_MONITOR' of C++ library yr\_sd\_runtime\_verif for each corresponding state diagram transition event.

# 5 yr\_sd\_runtime\_verif: A C++ Library to Model States Diagrams

Fig. 8: Class diagram in UML [8] to model a State Transition Diagram.



Fig. 9: Class diagram in UML [8] to model state diagram transition trace conditions in yr\_sd\_runtime\_verif code.



#### 5.1 Structure Of yr\_sd\_runtime\_verif

yr\_sd\_runtime\_verif is a state diagram C++ library the author of this paper created to work with the dynamic analysis program YR\_DB\_RUNTIME\_VERIF. Figure 8 and Figure 9 represent the class structure, in UML, of yr\_sd\_runtime\_verif. Listing 1.3 shows the C++ code that models the motivating example in Figure 1, and that uses runtime monitoring C++ state diagram library yr\_sd\_runtime\_verif.

There is no need to write C++ code for the red specified edge of Figure 1; this represents runtime cases where no input event arrives from SUT into  $YR\_DB\_RUNTIME\_VERIF$ .

#### 5.2 Methods for Pre- and Post-Condition Specifications

Table 1: yr\_sd\_runtime\_verif Methods for Pre-/Post-Condition Specification

| Class YR_CPP_MONITOR_EDGE Methods                                                              | Utility                               |
|------------------------------------------------------------------------------------------------|---------------------------------------|
| $\boxed{ \mathbf{set\_PRE\_CONDITION\_notIN}(\operatorname{QString},\operatorname{QString}) }$ | sets a NOT IN DATABASE pre-condition  |
| set_PRE_CONDITION_IN(QString, QString)                                                         | sets an IN DATABASE pre-condition     |
| $\begin{tabular}{ c c c c c c c c c c c c c c c c c c c$                                       | sets a NOT IN DATABASE post-condition |
| $\begin{tabular}{ c c c c c c c c c c c c c c c c c c c$                                       | sets an IN DATABASE pre-condition     |

Listing 1.3: yr\_sd\_runtime\_verif C++ code modeling a current bug in YEROTH-ERP-3.0 (Figure 1).

```
2
                                  "select.departements produits");
    a_last_edge_0->get_SOURCE_STATE()->set_START_STATE(true);
6
7
    a\_last\_edge\_0->get\_TARGET\_STATE()->set\_FINAL\_STATE(\mathbf{true});
8
9
    a_last_edge_0->set_PRE_CONDITION notIN("YR ASSET"
                                    departements_produits.
10
                                       nom departement produit");
11
     _last__edge__0->set__POST__CONDITION__IN("YR__ASSET",
12
13
                                  "stocks.nom_departement_produit");
14
    YR_register_set_final_state_CALLBACK_FUNCTION(& YR_CALL_BACK_final_state);
15
```

Table 1 illustrates methods for specifying pre— and post—conditions of a runtime monitor state diagram transition. Each method takes in 2 arguments of string ('QString') type: 'DB\_VARIABLE', 'db\_TABLE\_\_db\_COLUMN'.

The first method argument: 'DB\_VARIABLE', specifies which variable is to be expected as value for the specification of the second variable argument 'db\_TABLE\_\_db\_COLUMN'. The second variable gives in a string to be specified in format "DB\_table\_name.DB\_table\_column"; and its supposed value is the returned value of the first variable argument 'DB\_VARIABLE'.

These 4 pre- and post-conditions methods make assumptions that a **program variable value 'DB\_VARIABLE'** is in set "DB\_table\_name.DB\_table\_column" or not; if the value of 'DB\_VARIABLE' is in the database table column, it means it is **in the set** ( $\in$ ) of values "DB\_table\_name.DB\_table\_column"; and not being in the table column means it is **not in the set** ( $\notin$ ).

Example from the motivating example in Section 2 Listing 1.3 of the runtime monitoring specification stipulates for instance in its "line 12", as post-condition:

that 'YR\_ASSET' shall be a value in the value set  $(\in)$  of SQL table 'stocks' column 'nom\_departement\_produit'.

#### 6 Evaluation

The main experimental results in this paper demonstrate the efficacy of our tool to find errors in the SUT (YEROTH-ERP-3.0), presented in Subsection 2.2.

Table 2: SUT (YEROTH-ERP-3.0) Trace Output (Figure 4).

| CONSOLE OUTPUT LINE | SQL EVENT                     | SUT PROGRAM POINT (TRACE)                                  |
|---------------------|-------------------------------|------------------------------------------------------------|
| 21                  | "DELETE.department.YR_ASSET"  | "src/admin/lister/yeroth-erp-admin-lister-window.cpp:1603" |
| 22                  | "DELETE.merchandise.YR_ASSET" | "src/admin/lister/yeroth-erp-admin-lister-window.cpp:1626" |
| 23                  | "SELECT.department"           | "src/yeroth-erp-windows.cpp:967"                           |

#### Qualitative Results.

SUT (YEROTH-ERP-3.0) TRACING. Table 2 illustrates SUT source code trace information as presented in  $YR_DB_RUNTIME_VERIF$  console output in Figure 4. We have translated from French to English the MariaDB SQL table names.

SQL EVENT CALL SEQUENCE. A careful observation of the output in Figure 4 illustrates the following sequence:

line 23: at state D, execution of the state diagram event "'select.department'
 " (SUT button 'Delete' has been pressed at line 21):

```
select * from departements_produits WHERE nom_departement_produit = 'YR_ASSET';
```

- line 28, line 29: evaluation of the pre-condition Q0 of state D stating that product department 'YR\_ASSET' is not existent evaluates to 'TRUE' (triggering of event "delete.department.YR\_ASSET" by pressing of SUT button 'Delete' at line 21 has removed any asset department name 'YR\_ASSET').

```
*[YR_CPP_MONITOR::CHECK_PRE_CONDITION_notIN:] precondition_IS_TRUE: True **
```

– line 31, line 32: checking post–condition  $\overline{Q1}$  in state E (there are still stocks in stock department 'YR\_ASSET') evaluates to 'TRUE', thus state E is reached as an accepting state, because department name 'YR\_ASSET' still exists in SUT SQL table "stocks", as illustrated in Figure 3 of the motivating example:

```
"execQuery: select * from stocks WHERE nom_departement_produit = 'YR_ASSET';"
*[YR_CPP_MONITOR::CHECK_post_condition_IN:] postcondition_IS_TRUE: True **
```

Runtime Performance. YR\_DB\_RUNTIME\_VERIF and yr\_sd\_runtime\_verif don't incur a runtime supplemental overhead to the SUT, apart from emitting SQL events from SUT to YR\_DB\_RUNTIME\_VERIF as they occur, since no hand—shaking mechanism is used between YR\_DB\_RUNTIME\_VERIF and the SUT. The emission of an SQL event from SUT to YR\_DB\_RUNTIME\_VERIF doesn't cost more than 2 statements execution time (getting a pointer to the DBUS server, and calling a method 'YR\_slot\_refresh\_SELECT\_DB\_MYSQL' or other similar 3 methods (for INSERT, UPDATE, and, DELETE) on it).

#### 7 Related Work

- SUT source code instrumentation with specification. "Clara" [7] enables to express software correctness properties using AspectJ and dependency state machines, both as instances of the typestate formalism, a formalism that is merely used for checking correctness of programs by a static compilation (analysis) technique called typestate checking. The Clara framework weaves (instruments), and annotates a program with runtime monitors using AspectJ, then tries to optimize the weaved program by static analysis. The "residual program", meaning the weaved statically optimized program is then executed and runtime monitored by developers to detect runtime errors. Runtime monitoring tools [9,3,6,10] work as similar as the Clara framework does.
- SUT binary code instrumentation with a runtime monitor. With tracerory [13,12]", Jon Eyolfson and Patrick Lam use runtime program binary code instrumentation technique in INTEL-pin [24] to instrument running programs for purposes of detecting unread memory. I.e., tracerory doesn't generate itself a runtime monitor, it uses INTEL-pin [24] to generate a runtime monitor for its verification purposes. "Purify" [17] doesn't allow for SUT user correctness property specification. It has built-in memory access safety properties to check offline on program execution, after instrumentation of the SUT, its third-party, and vendor object-code libraries.
- Specification as set interface operations. "Hob" [22,23] is a program verification framework that enables to: characterize effects of program statement on data structures by means of all (∀, ∃, etc.) algebra abstract set interface operations; and to check that these characteristics hold or not, using static analyses.

#### - Concurrent Event Stream Analysis.

"DejaVu" [19] enables to check safety temporal property expressed in first-order past linear-time temporal logic (FO-PLTL) for events that carry data. DejaVu inputs a trace log (offline) and a FO-PLTL formula, and outputs a boolean value for each position in the inputted trace. "LogScope" [18] checks, offline, software systems correctness properties expressed using a rule—based specification language over state machines. It is not very precise what type of state machine is created and processed. "LogScope" translates specifications into C++ monitors (that could carry data). "EventRaceCommander" [2] repairs in web applications (online), event race errors, a kind of safety error.

#### 8 Conclusion And Future Work

This paper has presented a lightweight C++ Qt-Dbus [21] tool to check a program against a runtime monitor using set interface operations  $(\in, \notin)$  on program statement:  $YR_DB_RUNTIME_VERIF$ .  $YR_DB_RUNTIME_VERIF$  doesn't generate false warnings;  $YR_DB_RUNTIME_VERIF$  specifications are not desirable (forbidden) specifications (fail traces). Since the concurrent communication between  $YR_DB_RUNTIME_VERIF$  and a program occurs over the RPC (Remote Procedure Call) instance Dbus, a runtime monitor could be checked against programs written in any programming language or framework, as long as they emit the necessary SQL events to  $YR_DB_RUNTIME_VERIF$ .

Fig. 10: A Mealy Machine State Diagram Specified Using yr\_sd\_runtime\_verif Specification Language.

```
1. yr_sd_mealy_automaton_spec yr_missing_department
2. {
3. START_STATE(d):NOT_IN_PRE(YR_ASSET, departements_produits.nom_departement_produit)
4. -> / 'select.departements_produits'->
5. FINAL_STATE(e):IN_POST(YR_ASSET, stocks.nom_departement_produit).
6. }
```

Future work would be an algorithm within yr\_sd\_runtime\_verif, to extend 2-states state diagram mealy machine so to retrieve more states. The author of this paper has created a DSL (domain-specific language) and a compiler (yr\_sd\_runtime\_verif\_lang\_comp <sup>1</sup>) that enables automatic generation of yr\_sd\_runtime\_verif C++ state diagram specification code for YR\_DB\_RUNTIME\_VERIF; an example specification is to find in Figure 10.

Fig. 11: 'yr-qvge' model for the example specification in Figure 10.



Also, the author of this paper has developed a graphical drawing tool (yr-qvge) for in Section 3 defined state diagrams. A model of yr-qvge is shown in Figure 11. It is an extension of the FOSS (Free and Open Source Software) Qt Graphviz [15] drawing tool QVGE [28]. yr-qvge generates, from a model, an input file for the compiler yr\_sd\_runtime\_verif\_lang\_comp.

### 9 Acknowledgments

The author of this paper thanks Jan Peleska, and Thomas Ndie Djotio for helping him in continuing this research.

https://github.com/yerothd/yr\_sd\_runtime\_verif\_lang

#### References

- doc.qt.io/qt 5: Qt 5.15. https://doc.qt.io/qt-5 (Dec 2022), accessed last time on Dec 22, 2022 at 12:40
- Adamsen, C.Q., Møller, A., Karim, R., Sridharan, M., Tip, F., Sen, K.: Repairing event race errors by controlling nondeterminism. In: Proceedings of the 39th International Conference on Software Engineering, ICSE (2017). https://doi.org/ 10.1109/ICSE.2017.34, files/ICSE17Repairing.pdf
- Allan, C., Avgustinov, P., Christensen, A.S., Dufour, B., Goard, C., Hendren, L.J., Kuzins, S., Lhoták, J., Lhoták, O., de Moor, O., Sereni, D., Sittampalam, G., Tibble, J., Verbrugge, C.: abc the aspectbench compiler for aspectj a workbench for aspectoriented programming language and compilers research. In: Johnson, R.E., Gabriel, R.P. (eds.) Companion to the 20th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, OOPSLA 2005, October 16-20, 2005, San Diego, CA, USA. pp. 88-89. ACM (2005). https://doi. org/10.1145/1094855.1094877, https://doi.org/10.1145/1094855.1094877
- 4. Alpern, B., Ngo, T., Choi, J.D., Sridharan, M.: DejaVu: deterministic Java replay debugger for Jalapeño Java virtual machine. In: Addendum to the Proceedings of the Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA) (2000). https://doi.org/https://doi.acm.org/10.1145/367845.368073, files/dejavu\_demo.pdf
- Bergenthal, M., Krafczyk, N., Peleska, J., Sachtleben, R.: libfsmtest an open source library for fsm-based testing. In: Clark, D., Menendez, H., Cavalli, A.R. (eds.) Testing Software and Systems. pp. 3–19. Springer International Publishing, Cham (2022)
- Bodden, E.: J-LO A tool for runtime-checking temporal assertions. Diploma thesis, RWTH Aachen University (Nov 2005), https://www.bodden.de/pubs/ bodden05jlo.pdf
- Bodden, E., Hendren, L.: The clara framework for hybrid typestate analysis. International Journal on Software Tools for Technology Transfer (STTT) 14, 307–326 (2012), https://www.bodden.de/pubs/bl2010clara.pdf, 10.1007/s10009-010-0183-5
- 8. Booch, G., Rumbaugh, J., Jacobson, I.: Unified Modeling Language User Guide, The (2nd Edition) (Addison-Wesley Object Technology Series) (2005)
- 9. Butkevich, S., Renedo, M., Baumgartner, G., Young, M.: Compiler and tool support for debugging object protocols. In: SIGSOFT '00/FSE-8 (2000)
- 10. Chen, F., Rosu, G.: Mop: an efficient and generic runtime verification framework. In: Gabriel, R.P., Bacon, D.F., Lopes, C.V., Jr., G.L.S. (eds.) Proceedings of the 22nd Conference on Object-Oriented Programming, Systems, Languages and Applications. pp. 569–588. ACM (2007). https://doi.org/10.1145/1297027.1297069
- Clarke, E.M., Grumberg, O., Kroening, D., Peled, D.A., Veith, H.: Model checking, 2nd Edition (2018), https://mitpress.mit.edu/books/model-checking-second-edition
- Eyolfson, J., Lam, P.: Detecting unread memory using dynamic binary translation.
   In: Qadeer, S., Tasiran, S. (eds.) Runtime Verification. pp. 49–63. Springer Berlin Heidelberg, Berlin, Heidelberg (2013)
- Eyolfson, J.: Tracerory; Dynamic Tracematches and Unread Memory Detection for C/C++ (2012), https://hdl.handle.net/10012/6206, mASTER OF APPLIED SCIENCES (MASc)

- froglogic.com: Home froglogic. https://www.froglogic.com/home (Dec 2022), accessed last time on Dec 18, 2022 at 20:00
- 15. graphviz.org: DOT Language | Graphviz. https://graphviz.org/doc/info/lang.html (2022), accessed last time on JUNE 8, 2022 at 12:30
- 16. Harel, D.: Statecharts: a visual formalism for complex systems. Science of Computer Programming 8(3) (1987)
- 17. Hastings, R.O., Joyce, B.A.: Fast detection of memory leaks and access errors (1991)
- Havelund, K.: Specification-based monitoring in c++. In: Margaria, T., Steffen,
   (eds.) Leveraging Applications of Formal Methods, Verification and Validation.
   Verification Principles. pp. 65–87. Springer International Publishing, Cham (2022)
- 19. Havelund, K., Peled, D., Ulus, D.: Dejavu: A monitoring tool for first-order temporal logic. pp. 12–13 (04 2018). https://doi.org/10.1109/MT-CPS.2018.00013
- https://freedesktop.org/wiki/Software/cppunit: cppunit. https://doc.qt.io/ qt-5/qtdbus-index.html (Dec 2022), accessed last time on January 01, 2023 at 12:00
- 21. doc.qt.io/qt-5/qtdbus index.html: Qt D-Bus. https://doc.qt.io/qt-5/qtdbus-index.html (Dec 2022), accessed last time on Dec 22, 2022 at 12:40
- 22. Kuncak, V., Lam, P., Zee, K., Rinard, M.: Modular pluggable analyses for data structure consistency. Transactions on Software Engineering **32**(12), 988–1005 (Dec 2006)
- 23. Lam, P.: The Hob System for Verifying Software Design Properties (February 2007)
- Luk, C.K., Cohn, R.S., Muth, R., Patil, H., Klauser, A., Lowney, P.G., Wallace, S., Reddi, V.J., Hazelwood, K.M.: Pin: building customized program analysis tools with dynamic instrumentation. In: PLDI '05 (2005)
- 25. MariaDB.org: MariaDB Foundation MariaDB.org. https://www.mariadb.org (Jun 2022), accessed last time on June 24, 2022 at 12:20
- Noundou, X.N.: YEROTH-ERP-PGI-3.0 Doctoral Compendium. https://archive.org/download/yeroth-erp-pgi-compendium\_202206/JH\_NISSI\_ERP\_PGI\_COMPENDIUM.pdf (Jun 2022), accessed last time on January 21, 2023 at 23:24
- 27. Peleska, J., ling Huang, W.: Test automation; foundations and applications of model-based testing. https://www.informatik.uni-bremen.de/agbs/jp/papers/ test-automation-huang-peleska.pdf (2021), accessed last time on May 06, 2023 at 12:00
- showroom.qt.io: QVGE; Qt Visual Graph Editor | Showroom. https://showroom.qt.io/qvge-qt-visual-graph-editor (Jun 2022), accessed last time on Jun 27, 2022 at 12:40
- 29. Wikipedia.org: Mealy machine. https://en.wikipedia.org/wiki/Mealy\_machine (Dec 2022), accessed last time on Dec 15, 2022 at 12:00
- 30. Wikipedia.org: SQL Wikipedia. https://en.wikipedia.org/wiki/SQL (Feb 2023), accessed last time on February 08, 2023 at 12:00